Tutorial: IPv6 Basics - ENOG

Tutorial: IPv6 Basics Marco Hogewoning RIPE NCC Trainer ENOG3, May 2012

IANA IPv4 Pool 40%

30%

20%

10%

0% 2000

2001

ENOG3 IPv6 Tutorial

2002

2003

2004

2005

2006

2007

2008

2009

2010

2011

2

IPv4 Exhaustion Phases

IPv4 still available. RIPE NCC continues distributing it

RIPE NCC’s allocation policy from last /8 applies

RIPE NCC can only distribute IPv6

time

now IANA pool exhausted

?

RIPE NCC reaches final /8

RIPE NCC pool exhausted

Each of the 5 RIRs given a /8

ENOG3 IPv6 Tutorial

3

“Run Out Fairly” •

Gradually reduced the allocation and assignment period from the original 24 months to: – January – July

2010: 9 months

– January – July

•

2010: 12 months 2011: 6 months

2011:! ! 3 months

50% has to be in use at half the period

ENOG3 IPv6 Tutorial

4

Allocations From the Final /8 •

When the RIPE NCC reaches the final /8: – Every

•

member can get a /22 (1024 addresses)

– Only

if they already have IPv6 addresses

– Only

when there is justified need

Current policy does not allow for PI assignments – Policy

proposal 2012-04 under discussion

– Intends

ENOG3 IPv6 Tutorial

to allow for PI assignments

5

IPv4 Address Transfers •

Transfers allowed between RIPE NCC Members – Only

if they are not in use

– Receiver – Minimum

•

can prove he needs them size is a /21

Inter RIR transfers are being discussed – policy

proposals 2012-02 and 2012-03

– Change – Allow ENOG3 IPv6 Tutorial

the allocation period back to 24 months

transfers to and from the RIPE NCC region 6

RIPE NCC IPv4 Pool

ENOG3 IPv6 Tutorial

7

Sustaining Growth •

IPv4 will not be able to sustain the growth of the Internet: – More

people online every year

– Multiple – The

•

devices per person

Internet of Things

The world needs an alternative

ENOG3 IPv6 Tutorial

8

IPv6

Internet Protocol Version 6 •

Developed by the IETF in the early nineties

•

Became a standard in 1995

•

Uses 128 bit addresses – Instead

•

of IPv4’s 32 bits

IPv4 and IPv6 are not compatible – They

ENOG3 IPv6 Tutorial

can’t talk to each other without help

10

340282366920938463463374607431768211456 (4294967296)

IPv6 Addresses •

Addresses are written down using hexadecimal: –0

123456789abcdef

•

Grouped in 8 blocks of 4 digits

•

Separated by colons

2001:0db8:3042:0002:5a55:caff:fef6:bdbf

ENOG3 IPv6 Tutorial

12

IPv6 Address Notation •

Addresses can be shortened – Leading

zeroes can be removed

– Multiple

sequences of “0000” can be removed, replacing them with a double colon “::”

ENOG3 IPv6 Tutorial

13

IPv6 Address Notation •

Addresses can be shortened – Leading

zeroes can be removed

– Multiple

sequences of “0000” can be removed, replacing them with a double colon “::”

2001:0db8:0000:0000:5a55:0302:fef6:0012

ENOG3 IPv6 Tutorial

13

IPv6 Address Notation •

Addresses can be shortened – Leading

zeroes can be removed

– Multiple

sequences of “0000” can be removed, replacing them with a double colon “::”

2001:0db8:0000:0000:5a55:0302:fef6:0012 2001:db8:0:0:5a55:302:fef6:12

ENOG3 IPv6 Tutorial

13

IPv6 Address Notation •

Addresses can be shortened – Leading

zeroes can be removed

– Multiple

sequences of “0000” can be removed, replacing them with a double colon “::”

2001:0db8:0000:0000:5a55:0302:fef6:0012 2001:db8:0:0:5a55:302:fef6:12 2001:db8::5a55:302:fef6:12 ENOG3 IPv6 Tutorial

13

IPv6 Subnetting •

Subnets follow CIDR rules: –A

subnet boundary can be anywhere

– Subnet

•

mask is noted with a “/”, e.g. /64

The standard says every subnet must be a /64 – Defines

the host part of the address to be 64 bits

– Exception

ENOG3 IPv6 Tutorial

is /127 for point-to-point on routers

14

IPv6 Subnetting 2001:0DB8:0000:0000:0000:0000:0000:0000 0000:0000 64 bits interface ID

/64 /60 = 16 /64 /56 = 256 /64 /52 = 4096 /64 /48 = 65536 /64 /32 = 65536 /48 Contact Training Services: [email protected] Follow us on Twitter: www.twitter.com/TrainingRIPENCC www.ripe.net

Getting IPv6 Addresses

IPv6 Address Distribution /3

IANA

/12

RIR

/32

/48

Allocation ENOG3 IPv6 Tutorial

LIR

/XX

End User

/48

PA Assignment

PI Assignment 17

Provider Aggregatable IPv6 •

To receive an IPv6 Allocation – Be

a member of the RIPE NCC

– Have

•

a plan to deploy IPv6

Minimum allocation size is /32 – More

ENOG3 IPv6 Tutorial

if you can prove you have the customers

18

Customer Assignments •

Every “end site” can be assigned up to a /48 without prior approval of the RIPE NCC – That – If

you need more, ask for approval first

– Or

•

is 65536 subnets per site

make a sub-assignment

Assignments for your own infrastructure – /48

per Point of Presence

– One

additional /48 for the core network

ENOG3 IPv6 Tutorial

19

Provider Independent Assignments •

PI addresses also possible in IPv6 – Must

have a contract with an LIR

– Minimum – More

•

assignment size is a /48

if there is justified need

No sub-assignments are allowed – Not – If

even a single address for the connection

you have customers, you can not use PI for them

ENOG3 IPv6 Tutorial

20

Registration in the RIPE Database •

All sub-allocations and assignments must be registered to make them valid

•

Large numbers of assignments can be grouped – Status

“AGGREGATED-BY-LIR”

– Indicates – Size

multiple assignments

indicated by “assignment-size”

ENOG3 IPv6 Tutorial

21

Grouping Assignments inet6num: netname: descr: descr: country: admin-c: tech-c: status: assignment-size: mnt-by: notify: changed: source: ENOG3 IPv6 Tutorial

2001:db8:1000::/36 My-ASSIGNMENTS Represents multiple customers Colocation services NL BN649-RIPE BN649-RIPE AGGREGATED-BY-LIR 48 ISP-MNT [email protected] [email protected] 20110218 RIPE 22

Creating an Addressing Plan

Aggregation vs Conservation •

In IPv4 you can only get the addresses you need – Number

of machines is what counts

– Multiple

small assignments are common

– Administrative

•

ease is not allowed

IPv6 takes a different approach – Number

of machines is no longer important

– Aggregation

ENOG3 IPv6 Tutorial

gets a much bigger role

24

Count the Number of Subnets •

Every subnet has to be a /64 – Number

•

of hosts becomes irrelevant (2^64)

Keep some room for growth – We –A

can’t predict the future

single subnet probably is not enough

– You

can assign up to a /48 if needed

ENOG3 IPv6 Tutorial

25

Making Customer Assignments •

Don’t be too conservative

•

Assign a generous amount of subnets

•

/56 is a popular size for residential – Allows

for 256 subnets

– Future

proof

•

Business customers often get a /48

•

You don’t want to renumber later on

ENOG3 IPv6 Tutorial

26

Administrative Ease •

If possible assign on 4 bit boundaries – Matches

•

a hexadecimal digit

– Easier

to read and remember

– Aligns

with reverse DNS zones

Possibly follow the structure of the network or organisation – Can

aid in access control and troubleshooting

ENOG3 IPv6 Tutorial

27

“Smart” Addresses Example •

Assume you got 2001:db8:1234::/48

•

In your subnet 2001:0db8:1234:XYZZ::/64 –X

can represent a location, i.e. “north building”

–Y

can represent a function, i.e. “workstations”

– ZZ

•

can represent the specific subnet (number)

2001:0db8:1234:1316::/64 could mean: – South

ENOG3 IPv6 Tutorial

building, printers, area 16 (accounting)

28

Need Help Making a Plan? •

Surfnet, the Dutch NREN, prepared a document – How

•

to divide your /48 on a site?

Available in English on our website

https://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf

ENOG3 IPv6 Tutorial

29

Deploying IPv6

Deploying IPv6 •

IPv4 and IPv6 are not compatible by design – Allows

•

To communicate freely a computer needs both an IPv4 and IPv6 address – This

•

to deploy IPv6 without breaking things

is known as “Dual Stack”

It is all about adding IPv6 to your network – IPv4

will remain as well for now

ENOG3 IPv6 Tutorial

31

IPv6 on the LAN •

Configuration can happen automatically: – Discovering – Assigning – Get

•

your default gateway

yourself an address

a DNS resolver address

All based on ICMPv6 – Uses

ENOG3 IPv6 Tutorial

multicast

32

Stateless Address Autoconfiguration •

Host will automatically start looking for a router

•

Response will contain: Router’s address - One or more link prefixes - SLAAC allowed yes/no - MTU -

EUI-64

Link Prefix

ENOG3 IPv6 Tutorial

48 bits - MAC Address

FF

FE

Interface ID

33

DHCPv6 •

You can use DHCPv6 to get additional info – DNS

•

Resolver addresses

Alternatively you can also use it to handout IPv6 addresses: – Controlled – Switch

ENOG3 IPv6 Tutorial

by the network operator

of SLAAC in the router advertisements

34

Privacy Concerns •

SLAAC uses a modified mac address

•

Makes it possible to trace a device

•

Can be a security risk as well

•

RFC 4941 “Privacy Extensions”: – Use

random 64 bit number for the host part

– Change

ENOG3 IPv6 Tutorial

the number regularly

35

Security Considerations •

Everybody can claim to be a router – Use

RA Guard to filter unauthorised RAs (RFC 6105)

– SEND

•

under development as alternative (RFC 3971)

Leaking route advertisements – Cisco

switches on RA by default

– Windows, –A

OS X and others will default accept

machine can easily get IPv6 unnoticed

ENOG3 IPv6 Tutorial

36

DNS •

Works the same as IPv4 – AAAA

•

Host can request both A and AAAA records – When – Use

•

record for IPv6 addresses Dual Stacked (IPv4 and IPv6)

the one that performs best

Always advertise both IPv4 and IPv6 – Do

not make a decision based on who asks

ENOG3 IPv6 Tutorial

37

Reverse DNS •

RIPE NCC delegates on allocation or assignment

•

Example prefix 2001:db8::/32

ENOG3 IPv6 Tutorial

38

Reverse DNS •

RIPE NCC delegates on allocation or assignment

•

Example prefix 2001:db8::/32 2001 :db8

ENOG3 IPv6 Tutorial

38

Reverse DNS •

RIPE NCC delegates on allocation or assignment

•

Example prefix 2001:db8::/32 2001 :0db8

ENOG3 IPv6 Tutorial

38

Reverse DNS •

RIPE NCC delegates on allocation or assignment

•

Example prefix 2001:db8::/32 2001 :0db8 8.b.d.0.1.0.0.2.ip6.arpa

ENOG3 IPv6 Tutorial

38

Reverse DNS •

RIPE NCC delegates on allocation or assignment

•

Example prefix 2001:db8::/32 2001 :0db8 8.b.d.0.1.0.0.2.ip6.arpa

2001:db8:3042:2:5a55:caff:fef6:bdbf

ENOG3 IPv6 Tutorial

38

Reverse DNS •

RIPE NCC delegates on allocation or assignment

•

Example prefix 2001:db8::/32 2001 :0db8 8.b.d.0.1.0.0.2.ip6.arpa

2001:db8:3042:2:5a55:caff:fef6:bdbf f.b.d.b.6.f.e.f.f.f.a.c.5.5.a.5.2.0.0.0.2.4.0.3.8.b.d.0.1.0.0.2

ENOG3 IPv6 Tutorial

PTR

host.example.org

38

IPv6 Domain Object domain:!! ! descr:! ! ! admin-c:! ! tech-c:!! ! zone-c:!! ! nserver:! ! nserver:! ! mnt-by:!! ! mnt-lower:! changed:! ! source:!! !

ENOG3 IPv6 Tutorial

! 4.6.0.0.c.7.6.0.1.0.0.2.ip6.arpa ! RIPE Meetings ! JDR-RIPE ! OPS4-RIPE ¡!OPS4-RIPE ! server.ripemtg.ripe.net ! sec1.authdns.ripe.net ! RIPE-NCC-MNT ! RIPE-NCC-MNT ! [email protected] 20091002 ! RIPE

39

Making the Plan

Make Sure You Have a Plan •

In the near future you need IPv6

•

Take a phased approach: – Make

an inventory of what you need

– When

purchasing add demand for IPv6 support

– Identify – Plan

•

which elements need replacing

every step and test it before deploying

No longer depend on IPv4 alone

ENOG3 IPv6 Tutorial

41

Business Case •

The Internet is no longer equal to IPv4 – Make

•

Don’t make IPv6 a product – It

•

sure there is feature parity

is Internet connectivity you are selling

Spent money now to save it later

ENOG3 IPv6 Tutorial

42

IPv6 Act Now! (but take it slowly)

More Information

RIPE NCC IPv6 Training Course •

Open to all members free of charge

•

One day course in which you learn:

•

– How

to create a deployment plan for your organisation

– How

to make an addressing plan

– How

to make assignments

– How

to deploy alternative transitioning techniques

See http://www.ripe.net/lir-services/training

ENOG3 IPv6 Tutorial

45

Ripe-501Document •

“Requirements for IPv6 in ICT Equipment”

•

Best Current Practice describing what to ask for when requesting IPv6 Support

•

Useful for tenders and RFPs

•

Originated in the Slovenian Government – Adopted

•

by various others (Germany, Sweden)

Will be updated soon now

ENOG3 IPv6 Tutorial

46

IPv6 CPE Survey •

Originally it was very hard to get IPv6 ready CPE

•

Things have changed quite a bit – Lot

•

of vendors produce IPv6 ready CPE

Working on an updated version – Will

ask vendors for the latest status

ENOG3 IPv6 Tutorial

47

IPv6 Act Now •

Dedicated website about IPv6 Deployment – http://www.ipv6actnow.org

•

[email protected] – One

contact point for IPv6 matters

– Feedback,

ENOG3 IPv6 Tutorial

suggestions and comments

48

Other Sources •

RIPE IPv6 Working Group – http://www.ripe.net/ripe/groups/wg/ipv6

•

Cluenet mailing list –

•

ARIN IPv6 Wiki –

•

http://lists.cluenet.de/mailman/listinfo/ipv6-ops http://www.getipv6.info/index.php

ENOG mailing list –

http://www.enog.org/mailing-list/

ENOG3 IPv6 Tutorial

49

Follow Us

@TrainingRIPENCC

ENOG3 IPv6 Tutorial

50

Questions?